CERTIFICATE_DOMAIN_MISMATCH when using wildcard certificate

Hi,

I'm using pihole as plain setup with a wildcard certificate.

pihole throws an error message that the wildcard (*.domain.tld) does not match the domain (subdomain.domain.tld)

SSL/TLS certificate /etc/nginx/ssl/domain.tld does not match domain pi.domain.tld !

Ah yes, I guess nobody had thought about wildcard certificates when implementing this change. Thank you for your very concise bug report!

Could you please try

pihole checkout ftl fix/wildcard_crt_check

and see if this fixes the problem? You can also use the CLI tool to test this more easily by running

pihole-FTL --read-x509 "/etc/nginx/ssl/domain.tld" "pi.domain.tld"

and seeing if it says there is a match (or not). You can also run

pihole-FTL --read-x509 "/etc/nginx/ssl/domain.tld"

without a domain to see how Pi-hole parses your certificate file.


Wildcard certs are not recommended from a security point of view:

Con:
The biggest concern with wildcard certificates is that when one server or sub-domain covered by the wildcard is compromised, all sub-domains may be compromised. In other words, the upfront simplicity of the wildcard can create significant problems should things go wrong.

https://knowledge.digicert.com/quovadis/ssl-certificates/ssl-general-topics/what-are-the-pros-and-cons-of-a-wildcard-certificate

I've also read about attacks involving wildcard certs.

Safer to create a SAN cert (Subject Alternative Name) containing all the domains you want to secure!
If you use certbot:

$ man certbot
[..]
   -d DOMAIN, --domains DOMAIN, --domain DOMAIN
       Domain names to apply. For multiple domains you can
       use multiple -d flags or enter a comma separated list
       of domains as a parameter. The first domain provided
       will be the subject CN of the certificate, and all
       domains will be Subject Alternative Names on the
       certificate. The first domain will also be used in
       some software user interfaces and as the file paths
       for the certificate and related material unless
       otherwise specified or you already have a certificate
       with the same name. In the case of a name collision it
       will append a number like 0001 to the file path name.
       (default: Ask)

EDIT:

$ openssl s_client -connect chess.com:443 -servername www.chess.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep 'Subject:.* CN =\|Alternative Name\|DNS:'
        Subject: CN = chess.com
            X509v3 Subject Alternative Name:
                DNS:blog.chess.com, DNS:chess.com, DNS:chesskid.com, DNS:chesskids.com, DNS:chesspark.com, DNS:merch.chess.com, DNS:pogchamps.chess.com, DNS:shop.chess.com, DNS:shop.chesskid.com, DNS:www.chesskids.com, DNS:www.chesspark.com
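As an added example (not Pi-hole's code and not from any post in this thread), the Python below implements the hostname-versus-certificate comparison that a check like `pihole-FTL --read-x509 CERT DOMAIN` has to get right, using the RFC 6125 wildcard rules: a wildcard is honoured only as the whole left-most label and covers exactly one label, so `*.domain.tld` covers `pi.domain.tld` (the case in the report) but not `domain.tld` or `a.b.domain.tld`. The same matcher is then run over a SAN-style name list like the chess.com one above, which is the alternative recommended in this post. It assumes the certificate's names (CN plus SAN dNSName entries) have already been extracted; it does not parse X.509 files. The name sets, hostnames and file paths are constructed for illustration, and the verdict text merely imitates the message quoted in the report.

```python
"""Does a certificate's name list cover a hostname? RFC 6125 wildcard rules.

Constructed example for this thread; not Pi-hole's code and no X.509 parsing
(pihole-FTL --read-x509 does that part). Input is the list of names already
taken from the certificate: the CN plus every SAN dNSName entry.
"""


def _labels(name):
    # Lower-case, drop a trailing dot (FQDN form) and split into DNS labels.
    return name.lower().rstrip(".").split(".")


def dnsname_match(presented, hostname):
    """Return True if the presented name (CN or SAN entry) covers hostname.

    Rules applied, following RFC 6125 section 6.4.3 and what modern TLS
    clients enforce:
      - comparison is case-insensitive;
      - a wildcard is honoured only as the whole left-most label, so
        "*.domain.tld" is a valid pattern but "pi*.domain.tld" and
        "pi.*.tld" are not;
      - the wildcard matches exactly one label: "*.domain.tld" covers
        "pi.domain.tld" but not "domain.tld" or "a.b.domain.tld";
      - at least two labels must follow the wildcard ("*.tld" is refused);
      - a wildcard never matches an IDNA A-label (xn--...) host label.
    """
    if not presented or not hostname or "*" in hostname:
        return False                      # a hostname is never a pattern
    p, h = _labels(presented), _labels(hostname)
    if "" in p or "" in h:
        return False                      # empty label: malformed name
    if "*" not in presented:
        return p == h                     # plain name: exact match only
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False                      # partial or non-leftmost wildcard
    if len(p) < 3 or len(h) != len(p):
        return False                      # "*.tld", or wrong label count
    if h[0].startswith("xn--"):
        return False                      # no wildcard match on A-labels
    return p[1:] == h[1:]


def find_matching_name(cert_names, hostname):
    """Return the first certificate name that covers hostname, or None."""
    for name in cert_names:
        if dnsname_match(name, hostname):
            return name
    return None


def verdict(cert_path, cert_names, hostname):
    """One-line result in the style of the message quoted in the report."""
    match = find_matching_name(cert_names, hostname)
    if match is None:
        return "SSL/TLS certificate %s does not match domain %s !" % (cert_path, hostname)
    return "SSL/TLS certificate %s matches domain %s (via %s)" % (cert_path, hostname, match)


# Constructed name sets: the wildcard one mirrors the report (*.domain.tld),
# the SAN one is the chess.com list shown in this thread.
WILDCARD_CERT = ["domain.tld", "*.domain.tld"]
SAN_CERT = [
    "chess.com", "blog.chess.com", "chesskid.com", "chesskids.com",
    "chesspark.com", "merch.chess.com", "pogchamps.chess.com",
    "shop.chess.com", "shop.chesskid.com", "www.chesskids.com",
    "www.chesspark.com",
]

if __name__ == "__main__":
    for host in ("pi.domain.tld", "domain.tld", "a.b.domain.tld"):
        print(verdict("/etc/nginx/ssl/domain.tld", WILDCARD_CERT, host))
    for host in ("shop.chess.com", "api.chess.com"):
        print(verdict("chess.com-fullchain.pem", SAN_CERT, host))
```

Name matching is only one part of certificate validation: a real check must also verify the chain, the validity period and that the key in the file pairs with the certificate, which this example deliberately leaves out.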